The U.S. Justice Department has long said (and compliance officers have said it too) that a culture of compliance is what matters in regulatory enforcement actions, and can pay dividends in the form of smaller monetary penalties. Now we have a reminder from yet another important U.S. regulator about how important a culture of compliance truly is.
That message comes from the Office of Foreign Assets Control (OFAC), the United States’ primary enforcement agency for trade sanctions. OFAC recently issued an enforcement action against a bank in Oklahoma that had violated economic sanctions – except, the enforcement action didn’t impose any monetary penalties. Rather, OFAC only issued a “finding of violation” because the bank had demonstrated a strong commitment to doing the right thing.
What happened? As outlined in the OFAC settlement order, MidFirst Bank (the largest privately owned bank in the United States, with roughly $32 billion in assets) processed several dozen transactions in late 2020 for two account holders who had recently been added to U.S. sanctions lists. In total, MidFirst processed $604,000 worth of transactions over a two-week period, before the bank and its screening vendor realized that the two offending persons had been added to sanctions lists the prior month.
The violations arose because MidFirst and its screening vendor miscommunicated about the bank’s screening procedures. The vendor screened MidFirst’s new customers against U.S. sanctions lists every day, but screened all customers only once per month. MidFirst believed all customers were screened every day – so when its two existing customers were added to sanctions lists in mid-September 2020, the bank didn’t discover that issue until the next “full screen” cycle 14 days later. By then, the illicit transactions had been made.
So MidFirst did have a compliance program, but the program failed in this instance. That’s unfortunate, but failures do happen.
How a company then handles such failures is the true test of its culture of compliance – and that’s where MidFirst’s response is so instructive.
Management Commitment to Compliance
Once MidFirst executives discovered they had a violation, they took several immediate steps:
- They alerted OFAC to the violation, and cooperated in the ensuing investigation;
- The bank blocked its accounts for the two sanctioned individuals;
- Executives implemented a new manual process to rescreen all customers whenever U.S. sanctions lists were updated;
- The screening vendor began screening all MidFirst customers against U.S. sanctions lists every day.
In other words, MidFirst acted in accordance with its ethical and legal duties (reporting its violation to OFAC); improved its internal procedures to monitor risk (screening customers any time watch lists were updated); and worked with its screening vendor to remediate a specific weakness (increased the frequency of screening all customers from monthly to daily).
Compliance officers should be able to see the best practices afoot in MidFirst’s actions, because we talk about them in abstract terms all the time: Self-disclose the violation! Cooperate with regulators! Remediate the underlying weakness!
MidFirst’s actions are what those best practices look like in real practice. They are what happens when management has a culture of compliance, and a commitment to improving its performance after a compliance failure.
Applying That Lesson Broadly
Critics might say the MidFirst example is easy pickings, because most OFAC enforcement actions result in low fines (at least, lower than what’s permissible by statute) and they often involve a company that self-reported its violation.
That criticism misses the point, which is this: a demonstrable commitment to compliance pays dividends. The Justice Department has said as much for many years, but usually those warnings have been framed in the context of the Foreign Corrupt Practices Act.
Compliance officers need to communicate to the board, senior management, and leaders of First Line operating units that a culture of compliance is important in every context. That’s true for technically challenging branches of compliance like economic sanctions, as well as more easy-to-grasp fields like anti-discrimination or anti-harassment.
Eventually, every company will suffer some sort of compliance failure, despite having a robust program. That’s OK, if management has supported (and continues to support) a culture of doing the right thing. When regulators can see that commitment, they take it into account when reaching a misconduct settlement. In the ideal circumstance you might pay no penalties at all, much like MidFirst.
The question for chief compliance officers then becomes: How do you demonstrate that commitment to a culture of compliance? What do regulators want to see?
We could write whole books answering that question, but in brief, compliance officers would want to ponder:
- What actions did management take to handle a misconduct case, and how were those actions reflective of the company’s ethical priorities, core values, and policies?
- Did the company perform a root cause analysis of the misconduct; and if so, what changes to policy or procedure did it make (if any) based upon those findings?
- What did management say about the misconduct issue internally? What meeting minutes, or statement to employees, or other communications could you cite?
When you can provide clear, precise answers to those questions above, you can demonstrate that management has a commitment to compliance through both good times and bad. Then you can have conversations with regulators on much stronger footing, and get to much better resolutions.
To learn more about how NAVEX can help your company implement best practices for a robust compliance program, check out the NAVEX One platform to learn more.